Vulnerability Development: Re: Beating memory address randomization (security) features in Unix/Linux

From: The Jabberwock <jabberwock_at_tenebrous.com>
Date: Tue, 04 Apr 2006 00:08:23 -0400

As long as libc is linked into the vulnerable program, it can be returned
to, and the payload generated is often significantly smaller than
typical syscall shellcode.

Do you have the gdb output showing the libc function addresses that
begin with null bytes?

The Jabberwock

Kaveh Razavi wrote:

>I saw a null byte as the first byte of libc addresses like system, execve, etc.
>I was running a 2.6.13 kernel on a 32-bit x86 architecture (Slackware 10.2);
>I also saw it when I tried to exploit a tiny application on another 32-bit x86
>system running a 2.6.10 kernel (Slackware 10).
>I checked again (after your reply) on my new x86-64 system running the latest
>version of the kernel (2.6.16, Slackware 10.2) and there was no null byte in
>the first position.
>Thanks for your reply, but I have no idea if ret-to-libc is always possible.
>
>Kaveh Razavi
>Network Security Researcher
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>
>>Erm, what "distros" are you talking about? I run the latest
>>Gentoo on sparc64, pa-risc and ppc and none of them
>>have a nil byte in libc addresses. Besides, that doesn't
>>always matter.
>>
>>Think deeper, you're not always working with strings.
>>
>>Below are some pastes of functionality on different
>>architectures. Notice the only one that actually shows
>>nil bytes is sparc64, but you won't have to worry about
>>that because you're not going to jump to the first 255
>>bytes.
>>
>>Don "north" Bailey
>>
>>Here's SuSE on x86
>>
>>givingtree.north % ./showstack
>>&buffer[0]=bf9947b7
>>givingtree.north % ./showstack
>>&buffer[0]=bff50067
>>givingtree.north % ldd ./showstack
>> linux-gate.so.1 => (0xffffe000)
>> libc.so.6 => /lib/tls/libc.so.6 (0xb7e39000)
>> /lib/ld-linux.so.2 (0xb7f59000)
>>givingtree.north % uname -mr
>>2.6.16-rc6-givingtree i686
>>givingtree.north %
>>
>>
>>Here's Gentoo on PA-RISC
>>
>>visualize.north % ./showstack
>>&buffer[0]=faf2c5c8
>>visualize.north % ./showstack
>>&buffer[0]=fb16a5c8
>>visualize.north % ldd showstack
>> libc.so.6 => /lib/libc.so.6 (0x406ad000)
>> /lib/ld.so.1 => /lib/ld.so.1 (0x4037d000)
>>visualize.north % uname -mr
>>2.6.16-rc5-visualize parisc
>>visualize.north %
>>
>>
>>Here's Gentoo on sparcv9
>>
>>blueberry.snow % ./showstack
>>&buffer[0]=ef80d997
>>blueberry.snow % ./showstack
>>&buffer[0]=efeed997
>>blueberry.snow % ldd showstack
>> libc.so.6 => /lib/libc.so.6 (0x70030000)
>> /lib/ld-linux.so.2 (0x70000000)
>>blueberry.snow % uname -mr
>>2.6.16.1-blueberry sparc64
>>blueberry.snow %
>>
>>-----BEGIN PGP SIGNATURE-----
>>Version: PGP Desktop 9.0.5 (Build 5050)
>>
>>iQA/AwUBRC2mpV/Ie1ANMtLuEQKRCgCg0xBuYb2UX66el7eKeA3LDNhsXGoAn32k
>>HVnpOIYhjgAzCzoDeSd7V5G/
>>=o9Xn
>>-----END PGP SIGNATURE-----
>>
>
Received on Apr 04 2006
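The thread argues over whether a leading null byte in a libc address rules out ret-to-libc, and Don's "showstack" program was never posted. The following is an added example, not code from the thread or from any of its authors: it takes an address as it would sit in memory on the target (explicit width and byte order, so the x86, PA-RISC and SPARC figures quoted above can all be checked on one host), works out how much of it a strcpy()-style overflow would copy before stopping at the first NUL, and whether it could still be written intact as the final word of the payload, where the string's own terminator supplies the zero byte. It also probes the build host for stack randomization and for a NUL in the address of system(). The 0x00abcdef and 0x00007f3a12345678 values are constructed, not taken from the thread.

```c
/* Added example (not the thread's "showstack", which was not posted):
 * NUL-byte analysis of return addresses for a strcpy()-driven overflow,
 * plus a live probe of the host. Width/endianness are explicit so the
 * thread's x86 (LE), PA-RISC (BE) and SPARC (BE) numbers can be checked
 * on any host. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Serialize addr as 'width' bytes in the target's byte order. */
static void addr_bytes(uint64_t addr, size_t width, int big_endian,
                       unsigned char *out)
{
    for (size_t i = 0; i < width; i++) {
        size_t shift = big_endian ? (width - 1 - i) * 8 : i * 8;
        out[i] = (unsigned char)(addr >> shift);
    }
}

/* Bytes strcpy() would copy from this address before stopping at a NUL.
 * == width: the whole address survives.  < width: it is truncated. */
size_t strcpy_usable_bytes(uint64_t addr, size_t width, int big_endian)
{
    unsigned char raw[8];
    addr_bytes(addr, width, big_endian, raw);
    size_t n = 0;
    while (n < width && raw[n] != 0)
        n++;
    return n;
}

/* 1 if the address has no NUL at all, or its only NUL is the last byte in
 * memory, which strcpy()'s own terminator writes anyway.  In the second
 * case the address must be the very last thing in the payload, so one
 * return address can be placed that way, but not a chain of them. */
int fits_as_last_word(uint64_t addr, size_t width, int big_endian)
{
    size_t n = strcpy_usable_bytes(addr, width, big_endian);
    return n == width || n == width - 1;
}

/* Live check on the build host: run it twice to see whether the stack
 * buffer moves (ASLR), and whether &system contains a NUL.  In a non-PIE
 * binary &system may resolve to the PLT stub inside the executable rather
 * than to libc; confirm in gdb with "break main", "run", "p system". */
void probe_live(void)
{
    const uint16_t one = 1;
    int big_endian = *(const unsigned char *)&one == 0;
    char buffer[64];
    uintptr_t stack = (uintptr_t)&buffer[0];
    uintptr_t fn = (uintptr_t)&system;

    printf("&buffer[0]=%" PRIxPTR " strcpy-usable bytes=%zu\n", stack,
           strcpy_usable_bytes(stack, sizeof stack, big_endian));
    printf("&system   =%" PRIxPTR " strcpy-usable bytes=%zu last-word-ok=%d\n",
           fn, strcpy_usable_bytes(fn, sizeof fn, big_endian),
           fits_as_last_word(fn, sizeof fn, big_endian));
}

int main(void)
{
    /* Figures quoted in the thread, plus a constructed 0x00-prefixed libc
     * address of the kind Kaveh describes and a constructed x86-64 one. */
    struct { const char *what; uint64_t addr; size_t w; int be; } cases[] = {
        { "x86 libc base 0xb7e39000 (LE)",              0xb7e39000ULL,         4, 0 },
        { "x86 stack 0xbf9947b7 (LE)",                  0xbf9947b7ULL,         4, 0 },
        { "constructed 0x00abcdef libc function (LE)",  0x00abcdefULL,         4, 0 },
        { "parisc libc base 0x406ad000 (BE)",           0x406ad000ULL,         4, 1 },
        { "sparc libc base 0x70030000 (BE)",            0x70030000ULL,         4, 1 },
        { "constructed x86-64 0x00007f3a12345678 (LE)", 0x00007f3a12345678ULL, 8, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-46s usable=%zu last-word-ok=%d\n", cases[i].what,
               strcpy_usable_bytes(cases[i].addr, cases[i].w, cases[i].be),
               fits_as_last_word(cases[i].addr, cases[i].w, cases[i].be));
    probe_live();
    return 0;
}
```

The byte order is the whole point: on little-endian x86 a 0x00-prefixed address such as 0x00abcdef is stored ef cd ab 00, so its zero byte lands last and a single ret-to-libc target can still be written by the overflow, while a page-aligned base like 0xb7e39000 is stored with its zero byte first and cannot. On big-endian PA-RISC the same trailing-zero base survives as the last word; on x86-64 every user-space address carries two high zero bytes, so a plain strcpy overflow cannot place one intact at all.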
